
Data Protection: New regulation is on the way, are you ready?

  • by Guest
  • in Blogs · LGPSi
  • — 12 Dec, 2017

Photo: Geralt/Pixabay, CC0

Stringent new rules for the management of data are on the way with implications for LGPS. Kirsty Bartlett explains the key stages for achieving compliance.

On 25 May 2018 the General Data Protection Regulations (GDPR) will come into force across the European Union. This represents a significant challenge to LGPS administering authorities: there is a lot to do from a pension perspective to demonstrate compliance with the new laws.

The underlying concepts of GDPR will be familiar from existing UK legislation (the Data Protection Act 1998), but some of the detailed requirements are tougher and the process for demonstrating compliance will change. The risks of getting it wrong are significantly greater – the maximum fine will increase from £500,000 to €20m (or 4% of global turnover if higher, although it’s not clear how this would apply to an administering authority).

Stage 1: Data mapping

Administering authorities are data controllers of the information they collect in order to pay pension benefits. Under GDPR, data controllers must, on request, provide the Information Commissioner’s Office (ICO) with a written record of the personal data they hold, the legal basis for doing so, how it is processed and safeguarded, and how long it is held for.

This data map must cover administering authorities and any data processors. In practice, it is recommended that any other data controllers with whom administering authorities share personal data (e.g. scheme employers) are included in the data mapping process: the reputational risk of a data breach concerning LGPS data will inevitably spread to administering authorities even if they are not at fault.

Data mapping is the gateway to GDPR compliance: the remaining stages all flow from understanding how personal data is currently processed. It is a complex process that will inevitably require input from a number of third parties; administering authorities need to contact any third party administrator, their actuary, auditor, legal adviser, occupational health provider, AVC providers, etc. It is not uncommon for funds to involve a dozen, or more, data processors in their data map. And that’s before considering several hundred participating employers.

The key message is to start your data mapping now if it is not already underway. Asking data processors to complete a standard questionnaire can help to manage the process more efficiently and provide responses in a common format to ease analysis and further due diligence. Your legal adviser should be able to assist.

Stage 2: Updating processes

Once the data map is complete, administering authorities should consider if their current processes are adequate. GDPR is an opportunity to keep pace with best practice, not just a form-filling exercise. Risk registers and policies should be reviewed and updated where necessary.

As a minimum, administering authorities should have a breach response plan to enable them to report serious breaches of GDPR to the ICO within the maximum 72-hour period; they should also have a process to comply with the new shorter timescales for dealing with subject access requests.

Public authorities are required to appoint a data protection officer and administering authorities are likely to have a wider GDPR compliance plan that will need to involve those responsible for LGPS funds. However, having a data protection champion within the LGPS team could be a useful practical step. The personal data held for LGPS fund purposes is necessarily a high risk area for administering authorities: it is exactly the type of data attractive to fraudsters and it is necessarily held for an extremely long time.

Stage 3: Reviewing contracts

All contracts with third party data processors will need to be reviewed and updated before May 2018. The requirements for contracts to comply with GDPR are more stringent than under current UK law and data processors will have direct legal obligations and liabilities. Some data processors may look to pass all, or some, of those liabilities back to data controllers under their contracts.

At least one large consultancy has already written to all clients looking to impose a standard GDPR contract amendment by notice: those who don’t object will be deemed to have accepted the new wording. Administering authorities will need to review any wording put to them, or require data processors to accept the fund’s own standard contract amendments.

Stage 4: Communications with members

All LGPS fund members should be issued with an updated privacy notice before May 2018, informing them what personal data is held, how it is processed and how long it will be held for. GDPR is more prescriptive, so current notices are unlikely to comply. GDPR also requires privacy notices to be easy to understand, which represents a real challenge given the mandatory content.

The good news is that administering authorities will not need to seek individual member consent to collect and process personal data for their LGPS funds. Obtaining consent under GDPR is a more difficult process and it must be capable of being withdrawn at any time. Instead, administering authorities can rely on their legal obligation to comply with the LGPS Regulations as the basis on which they collect and process personal data.

Some circumstances will require special consideration. Personal data relating to health or sexual orientation come with a higher standard of protection, so communications dealing with ill health pensions and survivor benefits need to be revisited. Administering authorities may decide it is impractical to issue a privacy notice to every potential dependant included on an expression of wish form, but they could tell members to inform their nominees that personal data has been provided to the LGPS fund.

GDPR is unlikely to change fundamentally how administering authorities process personal data, but there is a lot of legwork needed between now and May 2018 to demonstrate compliance. Brexit is no silver bullet: the Data Protection Bill currently going through Parliament will enshrine GDPR into UK law. Authorities needing additional resource can contact the LGPS Frameworks to engage an appropriate third party adviser.

The world will not stop turning on 25 May 2018 but, if you do have a data breach, the ICO will be more sympathetic if administering authorities have taken significant steps towards GDPR compliance before then.

Kirsty Bartlett

Kirsty Bartlett is a partner at Squire Patton Boggs (UK) LLP.
